[ SOLVED ] Image magic Malware on 3.4


Image magic Malware on 3.4
« on: July 30, 2017, 02:11:11 AM »
 

Redchief

  • Merchandise Supporter
  • New to Forums
  • *****
  • 13
    Posts
  • Country: us
  • Reputation: 0
  • Linux Lite Member

  • Linux Lite: 3.4 64bit

  • CPU: Intel i5 quadcore

  • MEMORY: 4Gb

  • VIDEO CARD: GForce 310
Hello folks,

Yesterday I plugged in a USB drive with some type of malware that took over my LL 3.4 64. Pretty sure it was this drive that started the problem. I saw an application running called image magic. It took over my settings and everything before I could shut down. After restart all of my settings had been changed. I found out this application is being used as a backdoor for other malware.

After reinstalling from DVD I noticed the application is pre-installed in Synaptic.

Should I bother to repair the drive, or should I save myself a lot of trouble and get a new HDD?

Thanks
Shannon
Last Edit: July 31, 2017, 10:24:51 PM by Redchief
 


Re: Image magic Malware on 3.4
« Reply #1 on: July 30, 2017, 04:36:56 AM »
 

bitsnpcs

  • Platinum Level Poster
  • **********
  • 3185
    Posts
  • Country: 00
  • Reputation: 300

  • Linux Lite: 3.2 64bit
Hello Shannon,

I don't know if it is preinstalled; it does come with OpenShot, which I installed. There is info here on the patches for it: https://usn.ubuntu.com/usn/usn-3363-1/
If you have used Menu>Install Updates it should be patched; you can check the updates and do a file search for the file names on the link.
I recommend checking your firewall rules: Menu>All>Firewall Configuration. Delete any rules shown under the "Rules" tab; it should be blank unless you chose to add a rule. If you didn't choose to add a rule or agree to a rule, it is the classic definition of a backdoor, so delete it.

You don't need to buy a new HDD for this, unless you want a new one.
 

Re: Image magic Malware on 3.4
« Reply #2 on: July 30, 2017, 10:56:00 AM »
 

trinidad

  • Platinum Level Poster
  • **********
  • 1146
    Posts
  • Country: us
  • Reputation: 187
  • Linux Lite Member
    • dbts-analytics.com

  • Linux Lite: 5.0 64bit

  • CPU: AMD A8 5500 4 cores

  • MEMORY: 8Gb

  • VIDEO CARD: AMD/ATI Radeon HD 7560D

  • Kernel: 5.x
https://www.debian.org/security/2017/dsa-3914

This is a modern (recently discovered) hack that was not possible on older versions of Debian. As systems evolve new features, new ways to compromise them evolve as well. That is the best reason to run stable systems linked to the security update path. LL has a simple, efficient update application. Don't disable it.

TC
All opinions expressed and all advice given by Trinidad Cruz on this forum are his responsibility alone and do not necessarily reflect the views or methods of the developers of Linux Lite. He is a citizen of the United States where it is acceptable to occasionally be uninformed and inept as long as you pay your taxes.
 

Re: Image magic Malware on 3.4
« Reply #3 on: July 30, 2017, 02:02:09 PM »
 

Redchief

Fresh reinstall from DVD with updates. No software was installed after the reinstall. Nothing in the firewall list.

Thank you,

 

Re: Image magic Malware on 3.4
« Reply #4 on: July 30, 2017, 02:08:35 PM »
 

Redchief

Fresh reinstall from DVD with updates. This package is pre-installed in Synaptic. My guess may be off, but I believe this malware can leave code on the HDD that stays there after a reinstall. When first compromised I had fresh updates also.

Hmm.
Thank you.

 

Re: Image magic Malware on 3.4
« Reply #5 on: July 30, 2017, 03:40:40 PM »
 

bitsnpcs

Hello,

Check after a while for new updates, and do updates regularly.

Menu>System>Resource usage

Observe the activity for "command", Time+, CPU usage and memory usage. Do this with no Firefox/browser and no web apps open, observe for a few minutes, then repeat with web apps open. Report back any unusual observations: the details of the command being used and the % of resource use.

Hold down the Ctrl and Alt keys and press T (ctrl+alt+t) to open your terminal.

Enter this:

Code:
sudo ufw status verbose
Does the reply confirm UFW is running with these settings?

Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

If no, enter this into your terminal:

Code:
sudo ufw enable
Repeat:
Code:
sudo ufw status verbose
If the UFW firewall is not enabling correctly, report back these details.

If yes, close the terminal and check this:
 
Menu>Settings>Firewall Configuration
In the "Log" tab, look for anything unusual.
In the "Report" tab, application column, does it show imagemagic?
If imagemagic shows in the application column, report back the port number and protocol it is using.

It should match between Resource Usage and the application column; if it shows only in Resource Usage and not in the report, UFW logging needs adjusting to high to find its port use and protocol.
Then we block/deny it next.
Last Edit: July 30, 2017, 04:52:35 PM by bitsnpcs
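To make the firewall part of the checklist above repeatable, here is an added example (not from bitsnpcs or the Linux Lite project) that parses a captured reply from `sudo ufw status verbose`, checks it against the baseline the post describes (active, default deny incoming / allow outgoing), and lists any rule that a fresh install should not have. The sample output is constructed; the rule on port 2222 is invented to show what an unexplained entry looks like.

```python
"""Audit the output of `sudo ufw status verbose` against an expected baseline.
Added example, not from the forum thread; SAMPLE_OUTPUT is constructed."""
import re

# Constructed sample: ufw's defaults plus one rule nobody remembers adding.
SAMPLE_OUTPUT = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW IN    Anywhere
"""

# Baseline from the post: incoming denied, outgoing allowed.
EXPECTED_DEFAULTS = {"incoming": "deny", "outgoing": "allow"}


def parse_ufw_status(text):
    """Return status, logging level, per-direction defaults and the rule table."""
    result = {"status": None, "logging": None, "defaults": {}, "rules": []}
    in_rules = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("Status:"):
            result["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Logging:"):
            result["logging"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default:"):
            # "deny (incoming), allow (outgoing), disabled (routed)"
            for action, direction in re.findall(r"(\w+) \((\w+)\)", line):
                result["defaults"][direction] = action
        elif line.startswith("To "):
            in_rules = True  # header row of the rule table
        elif in_rules and not line.startswith("--"):
            # Columns are separated by runs of two or more spaces.
            parts = re.split(r"\s{2,}", line)
            if len(parts) >= 3:
                result["rules"].append(
                    {"to": parts[0], "action": parts[1], "from": parts[2]})
    return result


def audit(parsed):
    """Return a list of findings; an empty list means the baseline matches."""
    findings = []
    if parsed["status"] != "active":
        findings.append("ufw is not active")
    for direction, want in EXPECTED_DEFAULTS.items():
        got = parsed["defaults"].get(direction)
        if got != want:
            findings.append(f"default {direction} is {got!r}, expected {want!r}")
    for rule in parsed["rules"]:
        # A fresh install has no rules; every entry here needs an owner.
        findings.append(
            f"unexplained rule: {rule['to']} {rule['action']} from {rule['from']}")
    return findings


if __name__ == "__main__":
    # Real use: paste your own `sudo ufw status verbose` output in place of SAMPLE_OUTPUT.
    for finding in audit(parse_ufw_status(SAMPLE_OUTPUT)) or ["baseline OK"]:
        print(finding)
```

If `audit` reports a rule you did not add, that is the entry the post says to delete in the Firewall Configuration "Rules" tab; if it reports that ufw is inactive, `sudo ufw enable` is the next step exactly as described above.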
 

Re: Image magic Malware on 3.4
« Reply #6 on: July 30, 2017, 07:48:19 PM »
 

Redchief

Frankly, I was not willing to connect this machine back up to the internet other than for system updates. After that I pull the cable and look for things, ask questions here and maybe try to understand what happened before attempting any fixes. Not a pro IT guy, to say the least. I guess what my first question should be is: should this image magic package be preinstalled? Another question should be: what packages rely on image magic software that I cannot do without? Removing it completely would be a better option, if possible.

Thanks,
Shannon


Last Edit: July 30, 2017, 08:11:12 PM by Redchief
 

Re: Image magic Malware on 3.4
« Reply #7 on: July 30, 2017, 10:33:20 PM »
 

bitsnpcs

Yes, it is preinstalled. There is some info here about it and the dependencies on it: https://askubuntu.com/questions/794588/how-to-remove-imagemagick-without-breaking-its-dependencies
 

Re: Image magic Malware on 3.4
« Reply #8 on: July 31, 2017, 02:45:39 AM »
 

Redchief

"For the oldstable distribution (jessie), these problems have been fixed in version 8:6.8.9.9-5+deb8u10."

It looks like this distro install shows the imagemagick Ubuntu package list at version 8.6.8.9.9-7.

Accordingly, this version should be OK?
Also, I previously did updates either the day before or the same day the event occurred; not sure. Puzzling.

Thank you,

 

Re: Image magic Malware on 3.4
« Reply #9 on: July 31, 2017, 03:07:49 AM »
 

Redchief

I think the current version I'm running is OK. Still shy about plugging in the drive. I left it somewhere overnight plugged into a Win7 machine :0 No telling what got on it.

Funny thread.

Thank you.


 

Re: Image magic Malware on 3.4
« Reply #10 on: July 31, 2017, 08:10:26 AM »
 

bitsnpcs

Hello,
glad you are happy and feel comfortable knowing your system is patched. :)
Issues on Linux get patched much quicker than on Windows, if you update regularly.
Generally, at the computer, make a small routine of basic checks like the above.
Do a Systemback backup and an ISO backup before there is any kind of problem, such as hardware issues.
Do data backups often: copy/paste any new files to a portable HDD or USB stick.
Don't use a USB you found, and don't loan it.

The advanced users will know more efficient and detailed checks than I do.

If there is malware designed for Linux, mostly it will not run on Windows 7, and those huge numbers of Windows malware and viruses mostly won't affect Linux.
I don't know if maybe some of it can be multi-platform.

If you are happy now with the update patch, can you click Modify and choose SOLVED please.
 

Re: Image magic Malware on 3.4
« Reply #11 on: July 31, 2017, 09:41:01 AM »
 

trinidad

This particular bug is just that. A bug. It was discovered largely because of the other software involved. There is not any malware in the other software, just a Debian system vulnerability to the other software whereby malware could be written to control the desktop GUI (denial of service vulnerability). If you are updated via the Lite updater I'm sure you are fine. It was discovered precisely in the way you discovered it, loss of GUI control. The vulnerability was patched in less than a week. It was never malware, just a potential vulnerability that allowed for the possibility of a denial of service hack.

TC
Last Edit: July 31, 2017, 09:43:30 AM by trinidad
 

Re: Image magic Malware on 3.4
« Reply #12 on: July 31, 2017, 04:20:41 PM »
 

Redchief

I have been using LL for a couple of years and until then never had any issues. What is still puzzling is the fact that I distinctly remember doing an update before I plugged in the drive. I am still reluctant to plug in this drive but don't want to lose data either. There may be files on there I don't have on DVD. Don't know what to do with this drive. My system is patched but I'm afraid to plug in the infected drive. Maybe have someone with a WIN machine scan the disk? I need to keep a close eye on that computer and not plug drives into unknown environments like Windows networks :0 Meanwhile, keep building more computers with Linux.

Thank you,
Shannon


Last Edit: July 31, 2017, 04:26:52 PM by Redchief
 

Re: Image magic Malware on 3.4
« Reply #13 on: July 31, 2017, 04:29:41 PM »
 

Redchief

Computer is patched but what about this infected drive I need to recover data from?

Thanks,
Shannon


 

Re: Image magic Malware on 3.4
« Reply #14 on: July 31, 2017, 06:20:19 PM »
 

bitsnpcs


I am unsure how to do it. It is likely you can use a "sandbox" to open the USB stick in and inspect the files.

Update -
There are some methods for how to do this here: https://security.stackexchange.com/questions/67001/how-to-use-a-found-usb-key-safely

Last Edit: July 31, 2017, 06:44:58 PM by bitsnpcs
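For the "inspect the files" step above, here is an added example (not from bitsnpcs or the linked thread) of what that inspection can look like once the stick is mounted read-only with `mount -o ro,noexec,nosuid,nodev`: it walks the mount point, records a SHA-256 hash of every regular file for later lookup or reporting, and flags files whose leading bytes mark them as executables (PE, ELF, shebang scripts), especially when they sit behind a photo or document extension, plus any autorun.inf. The magic-byte table and extension list are deliberately small, and the sample "stick" is a constructed temporary directory so the script runs offline.

```python
"""Inventory a read-only mounted USB stick and flag executable content.
Added example, not from the forum thread; the sample files are constructed."""
import hashlib
import os
import tempfile

# Leading bytes that mark executable content (minimal, constructed list).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}
# Extensions a data-only stick is expected to hold.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf", ".txt", ".doc", ".docx", ".odt"}


def classify(path):
    """Return a label if the file's leading bytes mark it as executable, else None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def inventory(root):
    """Hash every regular file under root and flag executables and autorun files."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            ext = os.path.splitext(name)[1].lower()
            label = classify(path)
            flags = []
            if name.lower() == "autorun.inf":
                flags.append("autorun file")
            if label and ext in DATA_EXTENSIONS:
                flags.append(f"{label} disguised as {ext}")
            elif label:
                flags.append(label)
            findings.append({"path": os.path.relpath(path, root),
                             "sha256": digest, "flags": flags})
    return findings


def build_sample_stick():
    """Constructed stand-in for a mounted USB stick, so the script runs offline."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    samples = {
        "photo1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
        "notes.txt": b"shopping list\n",
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 12,        # PE header under a .jpg name
        "autorun.inf": b"[autorun]\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # Real use: inventory("/mnt/stick") after mounting the device there read-only.
    for item in inventory(build_sample_stick()):
        print(item["path"], item["sha256"][:16], item["flags"] or "-")
```

The hashes are the part worth keeping: they let you ask someone else (or an online lookup service) about a flagged file without ever opening it, and they tell you later whether a file on the stick changed.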
 

